nixos/fossil-server: init #102221
Conversation
Thanks for your contribution. I have left a few comments I hope you find helpful. Additionally, it would be nice if the systemd unit had some hardening options applied against it.
If you have any questions at all, please do not hesitate to ask. I'm happy to help.
config = mkIf cfg.enable { | ||
|
||
networking.firewall.allowedTCPPorts = [ cfg.port ]; | ||
systemd.services.fossil = { |
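Review bot: networking.firewall.allowedTCPPorts = [ cfg.port ]; opens the port on every enable, so there is no way to run an instance that is reachable only from localhost or behind a reverse proxy without the port also being exposed; gate it behind an openFirewall option defaulting to false, e.g. networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];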
There isn't any real need to run this as root. Maybe DynamicUser would be a good choice instead.
Added the user and group options. I'm not sure if it's the best way, what do you think? The thing is that with customizable user/group, it's easy to manage permissions just by using chmod/chown and make fossil see just what it needs to see. Also I'm not sure if DynamicUser would persist between reboots, which is desirable.
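A sketch of how the pieces discussed in this thread fit together, as an added example rather than the PR's own module: a static user/group pair that is only created when the defaults are kept, writes confined to the repository path, opening the port made opt-in, and the capability set trimmed to what the port actually needs. The services.fossil option path, the openFirewall option and the ExecStart command line are assumptions; cfg.user, cfg.group, cfg.port and cfg.repository are the options the thread mentions.

```nix
{ config, lib, pkgs, ... }:
let
  # Assumed option namespace; the PR's real attribute path is not shown on this page.
  cfg = config.services.fossil;
  # Fossil stores repositories in SQLite, which writes journal files next to the
  # database, so a single .fossil file needs its parent directory writable too.
  rwPath = if lib.hasSuffix ".fossil" cfg.repository then dirOf cfg.repository else cfg.repository;
in
{
  config = lib.mkIf cfg.enable {
    # Create the user/group only when the defaults are kept; an admin-chosen user is left alone.
    users.users = lib.mkIf (cfg.user == "fossil") {
      fossil = { isSystemUser = true; group = cfg.group; };
    };
    users.groups = lib.mkIf (cfg.group == "fossil") { fossil = { }; };

    # Assumed openFirewall option (default false): exposing cfg.port is opt-in.
    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];

    systemd.services.fossil = {
      description = "Fossil SCM server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        # Assumed command line; the repository path is created by the admin beforehand.
        ExecStart = "${pkgs.fossil}/bin/fossil server --port ${toString cfg.port} ${cfg.repository}";
        Restart = "on-failure";
        # Filesystem: everything read-only except the repository path.
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ rwPath ];
        PrivateTmp = true;
        PrivateDevices = true;
        # Privilege: no capabilities at all unless a privileged port was requested.
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        CapabilityBoundingSet = if cfg.port < 1024 then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
        AmbientCapabilities = lib.optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE";
        # Kernel and network surface.
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictNamespaces = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        SystemCallArchitectures = "native";
      };
    };
  };
}
```

On the persistence question above: if the repositories are instead kept under a systemd-managed directory, DynamicUser = true together with StateDirectory = "fossil" keeps /var/lib/fossil across reboots, with systemd re-applying ownership to the dynamic user at each start.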
|
||
networking.firewall.allowedTCPPorts = [ cfg.port ]; | ||
systemd.services.fossil = { | ||
preStart = if lib.strings.hasSuffix ".fossil" cfg.repository |
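Review bot: keying preStart on lib.strings.hasSuffix ".fossil" cfg.repository means a repository file without that suffix silently takes the directory branch; if any creation stays in the unit, test the path type rather than the name, and note that with ProtectSystem = "strict" (set further down in this PR) a directory created from preStart must also be listed in ReadWritePaths or the service will not be able to write to it.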
You should replace this directory creation with systemd.tmpfiles.rules entries instead.
You made me rethink this, and IMHO the place where repository points to should be created manually. Then, one can create/remove .fossil files as needed, and manage permissions etc.
|
||
jsmode = mkOption { | ||
type = types.str; | ||
default = ""; |
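Review bot: with type = types.str and default = "", any value is accepted at evaluation time and only rejected (if at all) when fossil parses its command line at service start; types.enum over the modes fossil actually accepts fails the build early with a readable message, and the default should then be one of those modes rather than the empty string.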
types.enum is what you're looking for here.
That's much cleaner, thanks - fixed
PrivateTmp = "yes"; | ||
NoNewPrivileges = true; | ||
ProtectSystem = "strict"; | ||
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH"; | ||
RestrictNamespaces = "uts ipc pid user cgroup"; | ||
ProtectKernelTunables = "yes"; | ||
ProtectKernelModules = "yes"; | ||
ProtectControlGroups = "yes"; | ||
PrivateDevices = "yes"; | ||
RestrictSUIDSGID = true; |
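Review bot: CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH"; keeps CAP_DAC_READ_SEARCH, which (when the unit runs as root, or if it is ever granted via AmbientCapabilities) lets fossil read and traverse any file regardless of its mode bits, which is exactly the chmod/chown-based confinement the user/group options were added to provide; drop it, keep CAP_NET_BIND_SERVICE only when cfg.port is below 1024, and otherwise set the bounding set to empty. Separately, the block mixes "yes" strings (PrivateTmp, ProtectKernelTunables, ProtectKernelModules, ProtectControlGroups, PrivateDevices) with booleans (NoNewPrivileges, RestrictSUIDSGID); use true throughout, and consider adding ProtectHome = true alongside ProtectSystem = "strict".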
Added some options stolen from the nginx and mysql NixOS modules. Is there something to change?
Sorry I've been really busy. I'll try to get back to this at some point over the next few weeks.
I marked this as stale due to inactivity.
User should manually create his Fossil repositories, then point the Fossil server to them.
Allows controlling what the Fossil server sees by setting chowns on the fs, and makes it persist between reboots
Otherwise Fossil can't write to the repository file/repositories directory
A test for clone, push and pull between server and client
Updated for 21.05 and added a test - please review! @aanderse @SuperSandro2000
Resolved one merge conflict :)
I marked this as stale due to inactivity.
Is there no interest in this?
@etu what is the best way to revive this attempt to get a Fossil service in Nix?
You can continue the work in another PR.
Motivation for this change
Fix #102220